Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

Akismet XSS Vulnerability

This entry was posted in WordPress Security on October 19, 2015 by Mark Maunder   6 Replies

A vulnerability in Akismet emerged last week and because Akismet is one of the most widely used plugins for WordPress, we wanted to bring it to your attention.

Akismet is a comment spam filter for WordPress and in general, it does a great job. The Akismet team announced on their blog last week that a cross site scripting (XSS) vulnerability had been discovered in all versions of Akismet since 2.5.0.

The vulnerability allows an attacker to post a comment on a WordPress site which will execute javascript in the WordPress admin console. This is a typical XSS vulnerability pattern and one of the attacks it enables would allow an attacker to steal a WordPress administrator’s cookies and gain administrative access to a WordPress website.

There is no evidence that the vulnerability has been exploited in the wild. The Akismet and WordPress teams immediately took the following actions:

  • They released updates for all affected versions of Akismet.
  • The WordPress.org team issued an automatic update of the Akismet plugin on affected sites. If you noticed that your WordPress site was automatically upgraded to the newest version of Akismet, that is why.
  • The Akismet team modified their API so that if a hacker did try to exploit a vulnerable version of Akismet, their API would block the attack by filtering out the comment the hacker tried to post. What this means is that as soon as the vulnerability was discovered and the Akismet team made this change, even vulnerable versions of Akismet were no longer exploitable.

Kudos to the Akismet team for responding to this so rapidly and comprehensively. If you’re running Akismet, we recommend you sign into your WordPess site and make sure that Akismet has been updated to the newest version.


Did you enjoy this post? Share it!

6 Comments on "Akismet XSS Vulnerability"

Haroun October 19, 2015 at 1:03 pm

DisQus is my current choice, though the vanilla WordPress still have their appeal for me posting comments :)

Anton October 22, 2015 at 1:55 am

Which version of akismet is fixed?

mark October 22, 2015 at 9:43 am

Akismet 3.1.5 is the security release.

Tony October 26, 2015 at 4:17 am

Thanks for sharing.

Naaifa Sultana November 16, 2015 at 12:43 am

Thank you very much Mark

Gaetan November 17, 2015 at 3:18 am

Thanks for this information. I have Akismet on my WordPress website.

Follow Us


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 150 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates